f7ffda8d8e1949fa2b1cbba487da7a3f441e72738cae3464fbde37d4ff161ac1

General

Target

untraceable.exe
Size

276KB
MD5

a94f3dfa9b2a83a76a66df2c42417fc1
SHA1

aa3d96ab3e0804f7e8db835d196b3e8720e40058
SHA256

49bb6af84f5bccc3e2e12d0eb5df3babf5598ca786c45952da456ab6c9481ed3
SHA512

35e44614f63753e81a92314fe21a721082edbb66b3d1974abdc111b5207c575c7cc6372911576eb719d9d3f6e00de6431ad2a9b7c23468d44b3a93ddf18360e2
SSDEEP

3072:qg4rNxFtnmCtGZaweOmXY4N3eiQCJWvyxNNWvhp2wwNKaJAchPJolPkoLCDUc/h:r4/7tGZawejXY4N3UlyxzWGz9fDUcZ

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2680 netsh.exe
1820 netsh.exe
3096 netsh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2680	netsh.exe
1820	netsh.exe
3096	netsh.exe

Drops file in Windows directory 6 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	cmd.exe
File opened for modification	C:\Windows\Logs\waasmedic\WAASME~1.ETL	cmd.exe
File opened for modification	C:\Windows\Logs\waasmedic\WAASME~2.ETL	cmd.exe
File opened for modification	C:\Windows\Logs\waasmedic\WAASME~3.ETL	cmd.exe
File opened for modification	C:\Windows\Logs\waasmedic\WAASME~4.ETL	cmd.exe
File opened for modification	C:\Windows\Logs\waasmedic\WAACF5~1.ETL	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 40 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1924	taskkill.exe
4448	taskkill.exe
3148	taskkill.exe
1324	taskkill.exe
5064	taskkill.exe
1732	taskkill.exe
4552	taskkill.exe
4288	taskkill.exe
4044	taskkill.exe
2356	taskkill.exe
4592	taskkill.exe
1988	taskkill.exe
3684	taskkill.exe
2924	taskkill.exe
4396	taskkill.exe
1656	taskkill.exe
1348	taskkill.exe
4512	taskkill.exe
2968	taskkill.exe
3084	taskkill.exe
4304	taskkill.exe
1076	taskkill.exe
4668	taskkill.exe
2072	taskkill.exe
4896	taskkill.exe
1412	taskkill.exe
3728	taskkill.exe
4876	taskkill.exe
4688	taskkill.exe
1448	taskkill.exe
4144	taskkill.exe
4116	taskkill.exe
3696	taskkill.exe
4124	taskkill.exe
4332	taskkill.exe
3416	taskkill.exe
1392	taskkill.exe
2156	taskkill.exe
4688	taskkill.exe
3628	taskkill.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

untraceable.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4500 wrote to memory of 2252	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 2252	4500	untraceable.exe	cmd.exe
PID 2252 wrote to memory of 4552	2252	cmd.exe	taskkill.exe
PID 2252 wrote to memory of 4552	2252	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 5104	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 5104	4500	untraceable.exe	cmd.exe
PID 5104 wrote to memory of 1448	5104	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 1448	5104	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 744	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 744	4500	untraceable.exe	cmd.exe
PID 744 wrote to memory of 4332	744	cmd.exe	taskkill.exe
PID 744 wrote to memory of 4332	744	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 4848	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 4848	4500	untraceable.exe	cmd.exe
PID 4848 wrote to memory of 3084	4848	cmd.exe	taskkill.exe
PID 4848 wrote to memory of 3084	4848	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 3216	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3216	4500	untraceable.exe	cmd.exe
PID 3216 wrote to memory of 1924	3216	cmd.exe	taskkill.exe
PID 3216 wrote to memory of 1924	3216	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 2060	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 2060	4500	untraceable.exe	cmd.exe
PID 2060 wrote to memory of 1656	2060	cmd.exe	taskkill.exe
PID 2060 wrote to memory of 1656	2060	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 3592	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3592	4500	untraceable.exe	cmd.exe
PID 3592 wrote to memory of 4448	3592	cmd.exe	taskkill.exe
PID 3592 wrote to memory of 4448	3592	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 1836	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 1836	4500	untraceable.exe	cmd.exe
PID 1836 wrote to memory of 3416	1836	cmd.exe	taskkill.exe
PID 1836 wrote to memory of 3416	1836	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 3436	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3436	4500	untraceable.exe	cmd.exe
PID 3436 wrote to memory of 1412	3436	cmd.exe	taskkill.exe
PID 3436 wrote to memory of 1412	3436	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 3828	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3828	4500	untraceable.exe	cmd.exe
PID 3828 wrote to memory of 1392	3828	cmd.exe	taskkill.exe
PID 3828 wrote to memory of 1392	3828	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 3212	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3212	4500	untraceable.exe	cmd.exe
PID 3212 wrote to memory of 1348	3212	cmd.exe	taskkill.exe
PID 3212 wrote to memory of 1348	3212	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 2284	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 2284	4500	untraceable.exe	cmd.exe
PID 2284 wrote to memory of 1200	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 1200	2284	cmd.exe	reg.exe
PID 4500 wrote to memory of 3728	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3728	4500	untraceable.exe	cmd.exe
PID 3728 wrote to memory of 3008	3728	cmd.exe	reg.exe
PID 3728 wrote to memory of 3008	3728	cmd.exe	reg.exe
PID 4500 wrote to memory of 3052	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 3052	4500	untraceable.exe	cmd.exe
PID 3052 wrote to memory of 4828	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 4828	3052	cmd.exe	reg.exe
PID 4500 wrote to memory of 2180	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 2180	4500	untraceable.exe	cmd.exe
PID 2180 wrote to memory of 4780	2180	cmd.exe	reg.exe
PID 2180 wrote to memory of 4780	2180	cmd.exe	reg.exe
PID 4500 wrote to memory of 2044	4500	untraceable.exe	cmd.exe
PID 4500 wrote to memory of 2044	4500	untraceable.exe	cmd.exe
PID 2044 wrote to memory of 4544	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4544	2044	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\untraceable.exe
"C:\Users\Admin\AppData\Local\Temp\untraceable.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f > nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
3⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCU\SOFTWARE\Epic Games" /f > nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Epic Games" /f
3⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f > nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
3⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f > nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
3⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f > nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
3⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:4844

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
3⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f > nul 2>&1
2⤵
PID:4348

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
3⤵
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f > nul 2>&1
2⤵
PID:1800

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
3⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:932

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
3⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:4452

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
3⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f > nul 2>&1
2⤵
PID:4672

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
3⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1
2⤵
PID:924

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
3⤵
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1
2⤵
PID:5048

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f > nul 2>&1
2⤵
PID:4684

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
3⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCR\com.epicgames.eos" /f > nul 2>&1
2⤵
PID:1076

C:\Windows\system32\reg.exe
reg delete "HKCR\com.epicgames.eos" /f
3⤵
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1
2⤵
PID:3720

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\EpicGames" /f > nul 2>&1
2⤵
PID:1084

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\EpicGames" /f
3⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f > nul 2>&1
2⤵
PID:4356

C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
3⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1
2⤵
PID:4836

C:\Windows\system32\netsh.exe
netsh advfirewall reset
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\ > nul 2>&1
2⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\ > nul 2>&1
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\ > nul 2>&1
2⤵
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Temp\ > nul 2>&1
2⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Temp\ > nul 2>&1
2⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Prefetch\ > nul 2>&1
2⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Temp\ > nul 2>&1
2⤵
PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.etl > nul 2>&1
2⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.log > nul 2>&1
2⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.tmp > nul 2>&1
2⤵
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.old > nul 2>&1
2⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\untraceable.exe
"C:\Users\Admin\AppData\Local\Temp\untraceable.exe"
1⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1
2⤵
PID:3008

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1
2⤵
PID:3104

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1
2⤵
PID:1416

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1
2⤵
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1
2⤵
PID:4600

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1
2⤵
PID:932

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1
2⤵
PID:1368

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1
2⤵
PID:1044

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe 2>&1
2⤵
PID:2848

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe 2>&1
2⤵
PID:3044

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe 2>&1
2⤵
PID:1324

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f > nul 2>&1
2⤵
PID:1068

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
3⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCU\SOFTWARE\Epic Games" /f > nul 2>&1
2⤵
PID:1920

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Epic Games" /f
3⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f > nul 2>&1
2⤵
PID:2328

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
3⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f > nul 2>&1
2⤵
PID:4916

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
3⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f > nul 2>&1
2⤵
PID:5064

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
3⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:4556

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
3⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f > nul 2>&1
2⤵
PID:5060

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f > nul 2>&1
2⤵
PID:4424

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
3⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:100

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
3⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:3560

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
3⤵
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f > nul 2>&1
2⤵
PID:996

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
3⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1
2⤵
PID:1152

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
3⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1
2⤵
PID:2524

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f > nul 2>&1
2⤵
PID:3176

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
3⤵
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCR\com.epicgames.eos" /f > nul 2>&1
2⤵
PID:408

C:\Windows\system32\reg.exe
reg delete "HKCR\com.epicgames.eos" /f
3⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1
2⤵
PID:2224

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\EpicGames" /f > nul 2>&1
2⤵
PID:1512

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\EpicGames" /f
3⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f > nul 2>&1
2⤵
PID:4820

C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
3⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1
2⤵
PID:3252

C:\Windows\system32\netsh.exe
netsh advfirewall reset
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher" > nul 2>&1
2⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\FortniteGame" > nul 2>&1
2⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\Epic Games" > nul 2>&1
2⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation" > nul 2>&1
2⤵
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat" > nul 2>&1
2⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\All Users\Epic\EpicGamesLauncher\Data\EMS\current" > nul 2>&1
2⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\UnrealEngine" > nul 2>&1
2⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher" > nul 2>&1
2⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\ProgramData\Epic\EpicOnlineServices" > nul 2>&1
2⤵
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\ProgramData\Epic\EpicGamesLauncher\Data\EMS\current" > nul 2>&1
2⤵
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files (x86)\Epic Games\Epic Online Services\service" > nul 2>&1
2⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\Shared Files" > nul 2>&1
2⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files (x86)\Common Files\BattlEye" > nul 2>&1
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /S /Q "%systemdrive%\Program Files (x86)\EasyAntiCheat" > nul 2>&1
2⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RMDIR /s /Q "%systemdrive%\$Recycle.bin" > nul 2>&1
2⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c el /q "%systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\" > nul 2>&1
2⤵
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\ProgramData\Microsoft\Windows\WER\Temp\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\Temp\*" > nul 2>&1
2⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\Temp\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\Temp\*" > nul 2>&1
2⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\Temp\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\TEMP\*" > nul 2>&1
2⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\TEMP\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\temp\*" > nul 2>&1
2⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\temp\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Program Files (x86)\Temp\*" > nul 2>&1
2⤵
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Program Files (x86)\Temp\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\Logs\*" > nul 2>&1
2⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\Logs\*") do @rd /s /q "%x" > nul 2>&1
2⤵
- Drops file in Windows directory
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\D3DSCache\*" > nul 2>&1
2⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\D3DSCache\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\CrashReportClient\*" > nul 2>&1
2⤵
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\CrashReportClient\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Windows\Prefetch\*" > nul 2>&1
2⤵
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Windows\Prefetch\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\Recent\*" > nul 2>&1
2⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\Recent\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\AMD\*" > nul 2>&1
2⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\AMD\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\AMD_Common\*" > nul 2>&1
2⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\AMD_Common\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds\*" > nul 2>&1
2⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /d %x in ("%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds\*") do @rd /s /q "%x" > nul 2>&1
2⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1
2⤵
PID:3724

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1
2⤵
PID:4192

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1
2⤵
PID:816

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe 2>&1
2⤵
PID:4836

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe 2>&1
2⤵
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe 2>&1
2⤵
PID:4888

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe 2>&1
2⤵
PID:232

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe 2>&1
2⤵
PID:944

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe 2>&1
2⤵
PID:3560

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe 2>&1
2⤵
PID:3396

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe 2>&1
2⤵
PID:2712

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f > nul 2>&1
2⤵
PID:3736

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
3⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCU\SOFTWARE\Epic Games" /f > nul 2>&1
2⤵
PID:1424

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Epic Games" /f
3⤵
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f > nul 2>&1
2⤵
PID:4448

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
3⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f > nul 2>&1
2⤵
PID:616

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
3⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f > nul 2>&1
2⤵
PID:3780

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
3⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:2684

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
3⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f > nul 2>&1
2⤵
PID:3256

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
3⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f > nul 2>&1
2⤵
PID:3280

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
3⤵
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:4808

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
3⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f > nul 2>&1
2⤵
PID:3436

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
3⤵
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f > nul 2>&1
2⤵
PID:4656

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
3⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f > nul 2>&1
2⤵
PID:2292

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
3⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1
2⤵
PID:3888

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f > nul 2>&1
2⤵
PID:1216

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
3⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKCR\com.epicgames.eos" /f > nul 2>&1
2⤵
PID:2876

C:\Windows\system32\reg.exe
reg delete "HKCR\com.epicgames.eos" /f
3⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f > nul 2>&1
2⤵
PID:4292

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\EpicGames" /f > nul 2>&1
2⤵
PID:2280

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\EpicGames" /f
3⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f > nul 2>&1
2⤵
PID:4304

C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
3⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset > nul 2>&1
2⤵
PID:2552

C:\Windows\system32\netsh.exe
netsh advfirewall reset
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\ > nul 2>&1
2⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\ > nul 2>&1
2⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\ > nul 2>&1
2⤵
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Users\%username%\AppData\Local\Temp\ > nul 2>&1
2⤵
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Temp\ > nul 2>&1
2⤵
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Windows\Prefetch\ > nul 2>&1
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\Temp\ > nul 2>&1
2⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.etl > nul 2>&1
2⤵
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.log > nul 2>&1
2⤵
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.tmp > nul 2>&1
2⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.old > nul 2>&1
2⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.bak > nul 2>&1
2⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.bac > nul 2>&1
2⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.bup > nul 2>&1
2⤵
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.chk > nul 2>&1
2⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.dmp > nul 2>&1
2⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\*.temp > nul 2>&1
2⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe 2>&1
2⤵
PID:220

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe 2>&1
2⤵
PID:4124

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe 2>&1
2⤵
PID:4548

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4044